I'm attempting to start a standalone Elastic Agent on a Windows 10 machine (which already has Winlogbeat working successfully on it). I have all of the required files on the machine, along with an elastic-agent.yml containing the configuration Elastic suggested for my intended integrations and stack setup. The Elastic Agent installed successfully, but when I run `./elastic-agent -c elastic-agent.yml -e` it fails with: "Error: could not start the HTTP server for the API: failed to listen on the named pipe \\.\pipe\elastic-agent: open \\.\pipe\elastic-agent: Access is denied". From the Windows machine I can ping the Ubuntu machine that hosts both Elasticsearch and Kibana, and I can reach the Kibana web interface. Both machines are VMs hosted on a central server. I also copied the elastic-agent.yml configuration directly from Elastic, as the setup instructions for my integration told me to do. My config file (excluding credentials and the like) is as follows:
---
# Policy identity: the id is a UUID (quoted so it is always read as a string);
# revision is the integer policy revision this file was generated from.
id: "eef76910-f895-11ec-99b2-692df87823c2"
revision: 3
# The single Elasticsearch output; every input in this policy selects it via
# `use_output: default`. Secret-bearing values are redacted as "--" in this post.
# In a committed file, prefer keystore references over inline credentials.
outputs:
  default:
    type: elasticsearch
    hosts: ["https://--:9200"]
    # Fingerprint of the cluster CA certificate used to establish TLS trust,
    # instead of shipping a CA bundle to the host.
    ssl.ca_trusted_fingerprint: "--"
    username: "--"
    password: "--"
# Index privileges requested for the "default" output's API key, grouped by the
# policy component that needs them. Every data stream gets only auto_configure
# and create_doc (append-only writes) -- no read, update or delete privilege.
output_permissions:
  default:
    # Agent self-monitoring data streams (logs-/metrics-elastic_agent.*).
    _elastic_agent_monitoring:
      indices:
        - names: [logs-elastic_agent.apm_server-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-elastic_agent.apm_server-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-elastic_agent.auditbeat-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-elastic_agent.auditbeat-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-elastic_agent.cloudbeat-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-elastic_agent.cloudbeat-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-elastic_agent.osquerybeat-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-elastic_agent.elastic_agent-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-elastic_agent.heartbeat-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-elastic_agent.endpoint_security-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-elastic_agent.metricbeat-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-elastic_agent.fleet_server-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-elastic_agent.filebeat-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-elastic_agent.heartbeat-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-elastic_agent.osquerybeat-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-elastic_agent.endpoint_security-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-elastic_agent.fleet_server-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-elastic_agent.metricbeat-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-elastic_agent.packetbeat-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-elastic_agent-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-elastic_agent.filebeat-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-elastic_agent.packetbeat-default]
          privileges: [auto_configure, create_doc]
    # The only cluster-level privilege in the policy: read-only cluster monitoring.
    _elastic_agent_checks:
      cluster: [monitor]
    # system integration (policy entry "system-1"). The first two streams are the
    # Linux syslog/auth file datasets; on a Windows-only host they could be dropped
    # from both the permissions and the inputs to keep the API key minimal.
    system-1:
      indices:
        - names: [logs-system.auth-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-system.syslog-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-system.application-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-system.security-default]
          privileges: [auto_configure, create_doc]
        - names: [logs-system.system-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-system.cpu-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-system.diskio-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-system.filesystem-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-system.fsstat-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-system.load-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-system.memory-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-system.network-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-system.process-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-system.process.summary-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-system.socket_summary-default]
          privileges: [auto_configure, create_doc]
        - names: [metrics-system.uptime-default]
          privileges: [auto_configure, create_doc]
    # ti_otx integration (policy entry "Alienvault"): one threat-intel data stream.
    Alienvault:
      indices:
        - names: [logs-ti_otx.threat-default]
          privileges: [auto_configure, create_doc]
    # Placeholder entry for the agent itself; requests no index privileges.
    elastic_agent-1:
      indices: []
# Agent self-monitoring: the agent's own logs and metrics are shipped to the
# "default" output under the "default" namespace.
agent:
  monitoring:
    enabled: true
    use_output: default
    namespace: default
    logs: true
    metrics: true
# Integration inputs. All of them publish to the single "default" output.
inputs:
  # system integration v1.16.2 -- Linux syslog/auth log files. Unlike the winlog
  # streams below, these carry no platform condition, so on this Windows host
  # they reference paths that will not exist.
  - id: logfile-system-d1ff1963-a1af-4e94-a278-641905d94f2c
    name: system-1
    revision: 1
    type: logfile
    use_output: default
    meta:
      package:
        name: system
        version: "1.16.2"
    data_stream:
      namespace: default
    streams:
      - id: logfile-system.auth-d1ff1963-a1af-4e94-a278-641905d94f2c
        data_stream:
          dataset: system.auth
          type: logs
        paths: ["/var/log/auth.log*", "/var/log/secure*"]
        exclude_files: ['.gz$']
        # Lines beginning with whitespace (^\s) are joined to the preceding line.
        multiline:
          pattern: '^\s'
          match: after
        processors:
          - add_locale: null
      - id: logfile-system.syslog-d1ff1963-a1af-4e94-a278-641905d94f2c
        data_stream:
          dataset: system.syslog
          type: logs
        paths: ["/var/log/messages*", "/var/log/syslog*"]
        exclude_files: ['.gz$']
        multiline:
          pattern: '^\s'
          match: after
        processors:
          - add_locale: null

  # system integration v1.16.2 -- Windows Event Log channels. Each stream is
  # gated on ${host.platform} == 'windows' and bounded by ignore_older: 72h.
  - id: winlog-system-d1ff1963-a1af-4e94-a278-641905d94f2c
    name: system-1
    revision: 1
    type: winlog
    use_output: default
    meta:
      package:
        name: system
        version: "1.16.2"
    data_stream:
      namespace: default
    streams:
      - id: winlog-system.application-d1ff1963-a1af-4e94-a278-641905d94f2c
        name: Application
        data_stream:
          dataset: system.application
          type: logs
        condition: "${host.platform} == 'windows'"
        ignore_older: 72h
      # The Security channel is the one most detection content depends on.
      - id: winlog-system.security-d1ff1963-a1af-4e94-a278-641905d94f2c
        name: Security
        data_stream:
          dataset: system.security
          type: logs
        condition: "${host.platform} == 'windows'"
        ignore_older: 72h
      - id: winlog-system.system-d1ff1963-a1af-4e94-a278-641905d94f2c
        name: System
        data_stream:
          dataset: system.system
          type: logs
        condition: "${host.platform} == 'windows'"
        ignore_older: 72h

  # system integration v1.16.2 -- host metrics. Most streams sample every 10s;
  # the filesystem and fsstat streams sample every 1m.
  - id: system/metrics-system-d1ff1963-a1af-4e94-a278-641905d94f2c
    name: system-1
    revision: 1
    type: system/metrics
    use_output: default
    meta:
      package:
        name: system
        version: "1.16.2"
    data_stream:
      namespace: default
    streams:
      - id: system/metrics-system.cpu-d1ff1963-a1af-4e94-a278-641905d94f2c
        data_stream:
          dataset: system.cpu
          type: metrics
        metricsets: [cpu]
        cpu.metrics: [percentages, normalized_percentages]
        period: 10s
      - id: system/metrics-system.diskio-d1ff1963-a1af-4e94-a278-641905d94f2c
        data_stream:
          dataset: system.diskio
          type: metrics
        metricsets: [diskio]
        # null = no device filter configured.
        diskio.include_devices: null
        period: 10s
      - id: system/metrics-system.filesystem-d1ff1963-a1af-4e94-a278-641905d94f2c
        data_stream:
          dataset: system.filesystem
          type: metrics
        metricsets: [filesystem]
        period: 1m
        processors:
          # Drop Linux pseudo/system mount points so only real volumes are reported.
          - drop_event.when.regexp:
              system.filesystem.mount_point: "^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)"
      - id: system/metrics-system.fsstat-d1ff1963-a1af-4e94-a278-641905d94f2c
        data_stream:
          dataset: system.fsstat
          type: metrics
        metricsets: [fsstat]
        period: 1m
        processors:
          - drop_event.when.regexp:
              system.fsstat.mount_point: "^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)"
      # Load averages are excluded on Windows by the condition below.
      - id: system/metrics-system.load-d1ff1963-a1af-4e94-a278-641905d94f2c
        data_stream:
          dataset: system.load
          type: metrics
        metricsets: [load]
        condition: "${host.platform} != 'windows'"
        period: 10s
      - id: system/metrics-system.memory-d1ff1963-a1af-4e94-a278-641905d94f2c
        data_stream:
          dataset: system.memory
          type: metrics
        metricsets: [memory]
        period: 10s
      - id: system/metrics-system.network-d1ff1963-a1af-4e94-a278-641905d94f2c
        data_stream:
          dataset: system.network
          type: metrics
        metricsets: [network]
        period: 10s
        # null = no interface filter configured.
        network.interfaces: null
      - id: system/metrics-system.process-d1ff1963-a1af-4e94-a278-641905d94f2c
        data_stream:
          dataset: system.process
          type: metrics
        metricsets: [process]
        period: 10s
        # Report the top 5 processes by CPU and by memory; match every process name.
        process.include_top_n.by_cpu: 5
        process.include_top_n.by_memory: 5
        process.cmdline.cache.enabled: true
        process.cgroups.enabled: false
        process.include_cpu_ticks: false
        processes: ['.*']
      - id: system/metrics-system.process.summary-d1ff1963-a1af-4e94-a278-641905d94f2c
        data_stream:
          dataset: system.process.summary
          type: metrics
        metricsets: [process_summary]
        period: 10s
      - id: system/metrics-system.socket_summary-d1ff1963-a1af-4e94-a278-641905d94f2c
        data_stream:
          dataset: system.socket_summary
          type: metrics
        metricsets: [socket_summary]
        period: 10s
      - id: system/metrics-system.uptime-d1ff1963-a1af-4e94-a278-641905d94f2c
        data_stream:
          dataset: system.uptime
          type: metrics
        metricsets: [uptime]
        period: 10s

  # ti_otx integration v1.3.2 -- pulls AlienVault OTX indicators over HTTPS
  # every 5m, following pagination and resuming from a stored cursor.
  - id: httpjson-ti_otx-ea96ba59-9622-40c4-a93d-4af43c773255
    name: Alienvault
    revision: 1
    type: httpjson
    use_output: default
    meta:
      package:
        name: ti_otx
        version: "1.3.2"
    data_stream:
      namespace: default
    streams:
      - id: httpjson-ti_otx.threat-ea96ba59-9622-40c4-a93d-4af43c773255
        data_stream:
          dataset: ti_otx.threat
          type: logs
        config_version: "2"
        interval: 5m
        request.method: GET
        request.url: "https://otx.alienvault.com/api/v1/indicators/export"
        request.timeout: 30s
        request.transforms:
          - set:
              target: header.Content-Type
              value: application/json
          # The OTX API key travels as a request header; redacted ("--") in this
          # post. Like the output credentials, it should not live inline in a
          # committed file.
          - set:
              target: header.X-OTX-API-KEY
              value: "--"
          # Incremental fetch: modified_since comes from the saved cursor, or
          # from 400h before now on the first run.
          - set:
              target: url.params.modified_since
              value: "[[.cursor.timestamp]]"
              default: '[[ formatDate (now (parseDuration "-400h")) "RFC3339" ]]'
        response.split:
          target: body.results
        # Follow the API's "next" link until it is empty.
        response.pagination:
          - set:
              target: url.value
              value: "[[ .last_response.body.next ]]"
        # Cursor advanced after each run to one hour before the current time.
        cursor:
          timestamp:
            value: '[[ formatDate (now (parseDuration "-1h")) "RFC3339" ]]'
        tags: [forwarded, otx-threat]
        publisher_pipeline.disable_host: true